Internal users issue

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

2.16

Describe the issue:
We have internal users and LDAPS authc/authz.

We ship logs from k8s directly to OpenSearch with Filebeat 7.12.1 and the internal user filebeat,
but in the log messages I get this error:

Cannot retrieve roles for User [name=filebeat, backend_roles=[develop], requestedTenant=null] from ldap due to OpenSearchSecurityException[OpenSearchSecurityException[No user filebeat found]]; nested: OpenSearchSecurityException[No user filebeat found];
org.opensearch.OpenSearchSecurityException: OpenSearchSecurityException[No user filebeat found]

Same trouble when I try to apply Terraform resources with an internal user login/password.

There is similar problem here: Avoiding 'Cannot retrieve roles for User' with internaluser and LDAP

Hi @DmitriiKuvshinov,

Does the ldapsearch work for the user?

i.e:
env LDAPTLS_REQCERT=never ldapsearch -b "CN=<USERNAME>,..,.." -H ldaps://<ldap_server>:636 -D "CN=<user>,..,.." -w "password"

Are there any groups that the user filebeat belongs to with special characters, and/or blank spaces in the name?

Could you try the below and share the output:

curl --insecure -u filebeat:<ldap_password> -XGET https://<OS_node>:9200/_plugins/_security/authinfo?pretty

Thanks,
mj

And there are also errors in the log file:
OpenSearch tries to log in to a non-existent domain.

Could not follow referral to ldaps://DomainDnsZones.domain.local/DC=DomainDnsZones,DC=domain,DC=local
org.ldaptive.provider.ConnectionException: javax.naming.CommunicationException: DomainDnsZones.domain.local:636 [Root exception is javax.net.ssl.SSLHandshakeException: Hostname '[DomainDnsZones.domain.local]' does not match the hostname in the server's certificate 'CN=dc.domain.local']

Can you share your config.yml (note: please mask all sensitive info).

best,
mj

Users from LDAP can log in with the right backend roles,

but internal users want to log in via LDAP too.

auth priority:

---
_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    http:
      anonymous_auth_enabled: true
      xff:
        enabled: false
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
        #internalProxies: '.*' # trust all internal proxies, regex pattern
        #remoteIpHeader:  'x-forwarded-for'
        ###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help
        ###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For
        ###### and here https://tools.ietf.org/html/rfc7239
        ###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: internal
      ldaps:
        description: "Authenticate via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: false
        order: 4
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
          type: ldap
          config:
            # enable ldaps
            enable_ssl: true
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            pemtrustedcas_filepath: /etc/opensearch/domain_ca.pem
            hosts:
              - dc.domain.ru:636
            bind_dn: 'CN=ldap_opensearch,OU=OpenSearch,OU=Special accounts,DC=domain,DC=local'
            password: 'password'
            userbase: 'DC=domain,DC=local'
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(sAMAccountName={0})'
            # Use this attribute from the user as username (if not set then DN is used)
            username_attribute: 'sAMAccountName'
    authz:
      ldaps:
        description: "Authorize via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: false
        authorization_backend:
          # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
          type: ldap
          config:
            # enable ldaps
            enable_ssl: true
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            pemtrustedcas_filepath: /etc/opensearch/domain_ca.pem
            hosts:
              - dc.domain.ru:636
            bind_dn: 'CN=ldap_opensearch,OU=OpenSearch,OU=Special accounts,DC=domain,DC=local'
            password: 'password'
            rolebase: 'OU=OpenSearch,OU=Special accounts,DC=domain,DC=local'
            # Filter to search for roles (currently in the whole subtree beneath rolebase)
            # {0} is substituted with the DN of the user
            # {1} is substituted with the username
            # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
            rolesearch: '(member={0})'
            # Specify the name of the attribute which value should be substituted with {2} above
            userroleattribute: null
            # Roles as an attribute of the user entry
            userrolename: 'memberOf'
            #userrolename: memberOf
            # The attribute in a role entry containing the name of that role, Default is "name".
            # Can also be "dn" to use the full DN as rolename.
            rolename: cn
            # Resolve nested roles transitive (roles which are members of other roles and so on ...)
            resolve_nested_roles: true
            userbase: 'DC=domain,DC=local'
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            # note: this differs from the authc domain above, which searches on sAMAccountName
            usersearch: '(uid={0})'

Have you considered using the skip_users configuration setting?

i.e:

skip_users:
  - kibanaserver
  - filebeat 
  - 'cn=Jane Doe,ou*people,o=TEST'
  - '/\S*/'

See more details here: Active Directory and LDAP - OpenSearch Documentation

A config sample here: Active Directory and LDAP - OpenSearch Documentation

Best,
mj
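The point of skip_users is that the LDAP authz backend never runs a role search for the listed names, so internal users such as filebeat stop producing the "Cannot retrieve roles for User ... No user filebeat found" warning. The following script is an added example, not code from this thread or from the OpenSearch project: it models the three entry forms the OpenSearch documentation describes for skip_users (an exact username, a wildcard pattern with `*`/`?`, and a regular expression written between slashes like '/\S*/') and reports which internal users are still not covered. The user names and skip lists are constructed for illustration; the wildcard-to-regex translation and the full-match semantics for the '/regex/' form are my reading of the documented behaviour, stated here as an assumption.

```python
"""Report which internal users would still trigger an LDAP role lookup.

Added example (not from the thread or the OpenSearch project). It models the
skip_users matching rules documented for the OpenSearch security plugin:
  - plain entry          -> exact username match
  - entry with * or ?    -> wildcard match (* = any run, ? = one character)
  - entry between slashes '/.../' -> regular expression, matched in full
The sample data below is constructed for illustration only.
"""
import re

# Constructed sample: user names as they would appear in internal_users.yml
INTERNAL_USERS = ["admin", "kibanaserver", "filebeat", "terraform", "logstash"]

# Constructed sample: skip_users entries from the ldap authz domain in config.yml
SKIP_USERS = ["kibanaserver", "filebeat", "cn=Jane Doe,ou*people,o=TEST"]


def wildcard_to_regex(pattern):
    """Translate a skip_users wildcard entry into an anchored regex.

    Only * and ? are wildcards; every other character is matched literally.
    (Assumption: the plugin treats no other characters specially here.)
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.DOTALL)


def parse_skip_entry(entry):
    """Return a predicate name -> bool implementing one skip_users entry."""
    if len(entry) >= 2 and entry.startswith("/") and entry.endswith("/"):
        regex = re.compile(entry[1:-1])
        # '/regex/' entries must match the whole name (Java Matcher.matches())
        return lambda name: regex.fullmatch(name) is not None
    if "*" in entry or "?" in entry:
        regex = wildcard_to_regex(entry)
        return lambda name: regex.fullmatch(name) is not None
    return lambda name: name == entry


def skip_matcher(entries):
    """Combine all skip_users entries into one predicate (any entry matches)."""
    predicates = [parse_skip_entry(e) for e in entries]
    return lambda name: any(p(name) for p in predicates)


def users_still_looked_up(internal_users, skip_users):
    """Internal users NOT covered by skip_users.

    Each name returned here would still be sent to the LDAP authz backend and,
    if absent from the directory, logs the 'No user <name> found' warning.
    """
    is_skipped = skip_matcher(skip_users)
    return [u for u in internal_users if not is_skipped(u)]


def classify_entry(entry):
    """Label an entry as 'regex', 'wildcard' or 'exact' for reporting."""
    if len(entry) >= 2 and entry.startswith("/") and entry.endswith("/"):
        return "regex"
    if "*" in entry or "?" in entry:
        return "wildcard"
    return "exact"


if __name__ == "__main__":
    for entry in SKIP_USERS:
        print(f"{classify_entry(entry):8s} {entry}")
    leftover = users_still_looked_up(INTERNAL_USERS, SKIP_USERS)
    if leftover:
        print("still resolved via LDAP authz:", ", ".join(leftover))
    else:
        print("all internal users are covered by skip_users")
```

Run it against the names you actually have in internal_users.yml; any user it lists will keep hitting the LDAP backend. The catch-all '/\S*/' entry from the post above skips every user with a whitespace-free name, including LDAP users, so it removes the warning at the cost of LDAP role resolution for everyone.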

Looks like a short-term solution, but it works!
Thank you!
